Nick Cucci

Nick Cucci

August 12, 2018

PCI Complaince Simplified

You'd think a titan like Capital One would be PCI compliant, but a misconfigured firewall was reportedly behind the recent theft of data related to approximately 100 million businesses and individuals that applied for Capital One credit cards. If true, Capital One failed the requirement set forth in the Payment Card Industry Data Security Standard (PCI DSS): Install and maintain a firewall configuration to protect cardholder data. Unfortunately, Capital One is not alone.

The PCI DSS applies to all companies of all sizes that accept, store and transmit cardholder data, including, for example, merchants, payment gateways and processors.

According to The Privacy Rights Clearinghouse, over 11 billion consumer records have been compromised from more than 10,000 breaches. The purpose of PCI compliance is to protect cardholder data and restore trust in the payment process. It sets forth a minimum standard for security and data. If you abide only by the PCI DSS, you are already behind.

  • Retail organizations demonstrated the lowest PCI compliance sustainability across all key industries.
  • The IT service industry achieved the highest ranking.
  • 77 percent of companies assessed after a data breach were not in compliance with the number one PCI requirement to install and maintain a firewall configuration.
  • A "demonstrable" correlation exists between businesses that are up to date on PCI requirements and businesses that have successfully defended themselves against cyber threats.
  • The number of fully compliant businesses is growing dramatically year over year.

Main areas of PCI compliance

The PCI DSS can get muddy quickly. It contains over 1,800 pages of official documentation and more than 250 security controls to follow. It can take reading 100+ pages before you figure out what form of compliancy you are required to abide by.

The three main areas of PCI DSS compliance are:

  1. Handling and transmission of customers' credit card data and other sensitive information. If your merchant or company doesn't need to handle sensitive data, don't. Use a third party from a processor to a processor-agnostic payment gateway. Let the liability of maintaining compliance lie with the "service provider." Gateways can accept and store data while removing merchants from PCI scope. Data will never touch the merchants' servers, making the company's PCI compliance straightforward as a Self-Assessment Questionnaire.

  2. Storing data securely. This includes such actions as encryption, ongoing monitoring and security testing of access to card data. If you or your merchants are going to store credit card data, you need to define the cardholder data environment (CDE). The CDE is described as the people, process and technologies that store/process/submit cardholder data. This is where mapping data flows is extremely important. You need to identify every consumer-facing area of the business. Ask questions, for example: Do you use a shopping cart? Terminals for retail? Orders over the telephone?

    From each one of those standpoints, map the ways in which data is transferred and who has access to it. Finally, after the data has been transferred, identify internal systems or technologies that touch the transactions. This is inclusive of everything from your network to data centers and even cloud environments like payment gateways. It is highly recommended that you use a third party, for example, a payment gateway, to store and process transactions.

    Using a cloud-based service provides high availability included in a bundled price, while also offering multiple infrastructure solutions. It makes things a lot easier to integrate to or even have data-redundant backups in multiple Internet grids. For instance, instead of large payment companies having to host in multiple data centers on different Internet grids, you can spin up virtual machines in each grid using the cloud systems like Google Compute engine or Amazon Web Services.

    Also take into consideration the cost of buying servers for each location. It can quickly require millions of dollars, depending on the infrastructure you want to achieve. Plus, if a company is sever based in multiple data centers, is it "hot swap" capable? Most likely not.

  3. Validating annually to main compliance. Your business is required to validate your compliance every year. This is an absolute must and can take a variety of forms such as questionnaires, external scans and third-party audits. Your business partners may request this before engaging in future business with you to mitigate their own risk and make sure things are as compliant as they seem – hopefully more so. Payment processors typically request this validation, as they are responsible for reporting compliance to the card brands.

Level 1 compliance

The four levels of PCI compliance are usually based on volume during a 12-month period. Level 1 applies to:

  • Businesses that process more than 6 million transactions annually or
  • Businesses that have experienced a data breach, or
  • Businesses that are deemed Level 1 by any card brand Level 1 requirements include:
  • Annual report on compliance by a Qualified Security Assessor (QSA), which requires an on-site assessment.
  • Quarterly network scans by Approved Scan Vendors (ASV)
  • Attestation of compliance (AOC) for on-site assessments.

Levels 2, 3 and 4 compliance

Simply summarized, Level 2 applies to organizations that process between 1 and 6 million transactions annually; Level 3 applies organizations that process between 20,000 and 1 million total transactions annually; and Level 4 applies to organizations that process fewer than 20,000 transactions annually.

Level 2, 3 and 4 requirements include:

  • Annual PCI DSS-Self Assessment Questionnaire (SAQ). There are nine SAQ types.
  • Quarterly network scans by ASVs.
  • Attestation of compliance (AOC); all nine SAQs have corresponding AOC forms.

For further details on Levels 1 through 4 and their requirements, visit the PCI Security Standards website at www.pcisecuritystandards.org. PCI compliance is a process involving continuous effort, not a once a year occurrence. And as your business/portfolio grows, so will your compliance needs. Being vigilant about this will provide you with confidence to keep your business on track and fraudsters away. Do not take the path of least resistance.